# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
######
# Folder sink for Platform and Component logs of Client Resources
# Destination: cloud logging bucket inside logging project
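# Config Connector LoggingLogSink: routes the client folder's Platform and
# Component logs (with includeChildren, every project under the folder) into
# the client's dedicated log bucket. Security/audit log types are excluded
# here via spec.exclusions, so this sink is NOT the audit trail for the client.
# Values marked "kpt-set" are setter defaults that kpt replaces per client.
apiVersion: logging.cnrm.cloud.google.com/v1beta1
kind: LoggingLogSink
metadata:
  name: platform-and-component-log-client1-log-sink # kpt-set: platform-and-component-log-${client-name}-log-sink
  namespace: logging
  annotations:
    # Orders reconciliation so the destination bucket exists before the sink.
    config.kubernetes.io/depends-on: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-client1-log-bucket # kpt-set: logging.cnrm.cloud.google.com/namespaces/logging/LoggingLogBucket/platform-and-component-${client-name}-log-bucket
spec:
  folderRef:
    name: clients.client1 # kpt-set: clients.${client-name}
    namespace: hierarchy
  # true: entries from all child projects/folders are matched, not just logs
  # written against the folder resource itself.
  includeChildren: true
  destination:
    loggingLogBucketRef:
      # destination.loggingLogBucketRef
      # Only `external` field is supported to configure the reference.
      # NOTE(review): the un-substituted default below is a bare bucket name,
      # while the kpt setter target is a fully-qualified
      # logging.googleapis.com/projects/.../buckets/... path. The sink is only
      # valid once the setter has run — confirm kpt substitution precedes apply.
      external: platform-and-component-client1-log-bucket # kpt-set: logging.googleapis.com/projects/${logging-prj-id}/locations/northamerica-northeast1/buckets/platform-and-component-${client-name}-log-bucket
  description: Folder sink for Client Platform and Component logs # kpt-set: Folder sink for ${client-displayname} Platform and Component logs
  # AU-2, AU-12(A), AU-12(C)
  # Includes the following types of logs:
  # Cloud DNS, Cloud NAT, Firewall Rules, VPC Flow, and HTTP(S) Load Balancer
  # These logs are not enabled by default. They are enabled inside the client-experimentation package:
  # https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/project/project-experimentation
  # Inclusion filter: only the five log IDs below (each pinned to its expected
  # resource.type where the LOG_ID alone would be ambiguous) are routed.
  filter: |-
    LOG_ID("dns.googleapis.com/dns_queries")
    OR (LOG_ID("compute.googleapis.com/nat_flows") AND resource.type="nat_gateway")
    OR (LOG_ID("compute.googleapis.com/firewall") AND resource.type="gce_subnetwork")
    OR (LOG_ID("compute.googleapis.com/vpc_flows") AND resource.type="gce_subnetwork")
    OR (LOG_ID("requests") AND resource.type="http_load_balancer")
  # Excludes all Security logs: Cloud Audit, Access Transparency, and Data Access Logs
  # Entries matching an exclusion are dropped from THIS sink only; they are
  # presumably captured by a separate security sink (not in this file) —
  # verify that sink exists, otherwise these audit entries have no route here.
  exclusions:
    - description: Exclude Security logs
      # false = the exclusion is active.
      disabled: false
      filter: |-
        LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity")
        OR LOG_ID("cloudaudit.googleapis.com/data_access") OR LOG_ID("externalaudit.googleapis.com/data_access")
        OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event")
        OR LOG_ID("cloudaudit.googleapis.com/policy") OR LOG_ID("externalaudit.googleapis.com/policy")
        OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency")
      name: exclude-security-logs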